[libssh/el5] Security fix for CVE-2014-8132.

Fri Dec 19 19:01:50 UTC 2014

commit 1cf8b0d3a3f51dcd632dd70c234b03df9e3e3f14
Author: Andreas Schneider <asn at cryptomilk.org>
Date:   Fri Dec 19 18:16:18 2014 +0100

    Security fix for CVE-2014-8132.

 CVE-2014-8132-libssh-0.5.5.patch |   46 ++++++++++++++++++++++++++++++++++++++
 libssh.spec                      |    7 +++++-
 2 files changed, 52 insertions(+), 1 deletions(-)
---

diff --git a/CVE-2014-8132-libssh-0.5.5.patch b/CVE-2014-8132-libssh-0.5.5.patch
new file mode 100644
index 0000000..9ae9cfd
--- /dev/null
+++ b/CVE-2014-8132-libssh-0.5.5.patch
@@ -0,0 +1,46 @@
+From f2e14e00ff0afdb7e45a595dc4c5f9e50d413b4d Mon Sep 17 00:00:00 2001
+From: Jon Simons <jon at jonsimons.org>
+Date: Sat, 18 Oct 2014 23:23:26 -0700
+Subject: [PATCH] CVE-2014-8132: Fixup error path in ssh_packet_kexinit()
+
+Before this change, dangling pointers can be unintentionally left in the
+respective next_crypto kex methods slots.  Ensure to set all slots to
+NULL in the error-out path.
+
+Signed-off-by: Jon Simons <jon at jonsimons.org>
+Reviewed-by: Andreas Schneider <asn at cryptomilk.org>
+
+(cherry picked from commit 2ced24ddd67a261dc364ad4d8958c068c1671ae7)
+Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
+---
+ src/kex.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/kex.c b/src/kex.c
+index dedf286..db35183 100644
+--- a/src/kex.c
++++ b/src/kex.c
+@@ -286,7 +286,7 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
+   for (i = 0; i < 10; i++) {
+     str = buffer_get_ssh_string(packet);
+     if (str == NULL) {
+-      break;
++      goto error;
+     }
+ 
+     if (buffer_add_ssh_string(session->in_hashbuf, str) < 0) {
+@@ -333,6 +333,11 @@ SSH_PACKET_CALLBACK(ssh_packet_kexinit){
+ error:
+   ssh_string_free(str);
+   for (i = 0; i < 10; i++) {
++    if (server_kex) {
++      session->server_kex.methods[i] = NULL;
++    } else {
++      session->client_kex.methods[i] = NULL;
++    }
+     SAFE_FREE(strings[i]);
+   }
+ 
+-- 
+2.2.0
+
diff --git a/libssh.spec b/libssh.spec
index fdca037..ce67adf 100644
--- a/libssh.spec
+++ b/libssh.spec
@@ -1,6 +1,6 @@
 Name:           libssh
 Version:        0.5.5
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        A library implementing the SSH2 protocol (0xbadc0de version)
 License:        LGPLv2+
 URL:            http://www.libssh.org/
@@ -12,6 +12,7 @@ Source1:        https://red.libssh.org/attachments/download/50/libssh-0.5.5.tar.
 Patch0:         libssh-0.5.4-disable-latex-documentation.patch
 Patch1:         libssh-0.5.4-fix-html-doc-generation.patch
 Patch2:         libssh-0.5.5-CVE-2014-0017.patch
+Patch3:         CVE-2014-8132-libssh-0.5.5.patch
 
 BuildRequires:  cmake
 BuildRequires:  doxygen
@@ -40,6 +41,7 @@ applications that use %{name}.
 %patch0 -p1 -b .disable-latex-documentation
 %patch1 -p1 -b .fix-html-doc-generation
 %patch2 -p1 -b .libssh-0.5.5-CVE-2014-0017.patch
+%patch3 -p1 -b .CVE-2014-8132-libssh-0.5.5.patch
 
 # Remove examples, they are not packaged and do not build on EPEL 5
 sed -i -e 's|add_subdirectory(examples)||g' CMakeLists.txt
@@ -89,6 +91,9 @@ rm -rf %{buildroot}
 %{_libdir}/libssh_threads.so
 
 %changelog
+* Fri Dec 19 2014 - Andreas Schneider <asn at redhat.com> - 0.5.5-3
+- Security fix for CVE-2014-8132.
+
 * Wed Mar 05 2014 - Andreas Schneider <asn at redhat.com> - 0.5.5-2
 - resolves: #1072191 - Fix CVE-2014-0017.
 - resolves: #1072741 - Fix CVE-2014-0017.
